Access-lists: Best Practices
The following is a list of rules of thumb that will help you reduce the hardware resources occupied by ACEs:
-
Use contiguous hosts addresses whenever possible. Aggregate host statements in ACEs/object-groups into networks.
-
Use "any" instead of networks, and networks instead of hosts when possible.
-
Try to simplify object-groups. Potentially this can save hundreds of ACEs when the ACLs are expanded. Grouping together individual port statements into a range is an example.
The time it takes to compile a tree is largely irrelevant because while the compilation is taking place, the "old" tree is still in place. Given that compilation time is not a critical factor, the use of a single partition is recommended. For backward compatibility, 2.3(1) ships with 12+2 partitions by default.